Closed
Bug 899659
Opened 11 years ago
Closed 10 years ago
evaluate isForeignInstall for detecting side installs
Categories
(Firefox :: General, defect)
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox-esr31 | --- | wontfix |
People
(Reporter: mmc, Assigned: kmag)
References
(Blocks 1 open bug)
Details
(Keywords: sec-other)
Attachments
(1 file)
2.99 MB, application/x-ms-dos-executable
+++ This bug was initially created as a clone of Bug #899173 +++

From https://bugzilla.mozilla.org/show_bug.cgi?id=899173#c12, there is a field isForeignInstall in the xpi DB that was added to detect side-installs. From mossop's comment this field might have no false positives. This could be used in conjunction with the preference extensions.autoDisableScopes if it turns out to have better coverage for detecting side-installed addons.
Updated • 11 years ago (Reporter)
Updated • 11 years ago (Assignee)
Assignee: nobody → kmaglione+bmo
Comment 1 • 11 years ago (Assignee)
I found an installer today which side-installs an add-on, bypasses about:newaddon, and does so without setting the foreignInstall flag. I don't have the details yet, but I suspect that it modifies extensions.sqlite to bypass the opt-in.
Comment 2 • 11 years ago (Assignee)
Ah. It looks like it's just dropping it in the `staged/` directory. It does contain sqlite3.dll, but it doesn't seem to actually touch any of our databases.
Comment 3 • 11 years ago (Assignee)
Which is bug 870031
Comment 4 • 10 years ago (Assignee)
Resolving as fixed, since the details are currently pretty well understood:
• The foreign install flag does give good indications of foreign installs as generated by many installers, and high correlation between enabled status and foreign install flag gives us a good indication of silent installs
• However, there are many methods of bypassing the foreign install flag, the simplest of which is to dump the add-on in the `staged/` directory, which also bypasses `autoDisableScopes` and thus triggers a silent install.

Restricting access to this bug, since I don't want the above to be especially public.
Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated • 10 years ago
status-firefox-esr31:
--- → wontfix
Keywords: sec-other
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
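
The audit that comment 4 implies, as an added example that is not code from this bug or from Firefox: report add-ons that carry the foreign-install flag and are enabled, and list anything sitting in `staged/` separately, since the flag does not cover that path. The `extensions.json` file name, the `extensions/staged` location, the `userDisabled` field and all sample records are assumptions constructed for illustration.

```python
import json
import os
import tempfile

# Constructed records. Field names and file locations are assumptions made
# for this example; only foreignInstall and staged/ are named in the bug.
SAMPLE_ADDONS = [
    {"id": "chosen@example.test", "foreignInstall": False, "userDisabled": False},
    {"id": "optin-pending@example.test", "foreignInstall": True, "userDisabled": True},
    {"id": "enabled-foreign@example.test", "foreignInstall": True, "userDisabled": False},
]


def audit_profile(profile_dir):
    """Return (enabled foreign-install ids, entries waiting in staged/)."""
    db_path = os.path.join(profile_dir, "extensions.json")
    addons = []
    if os.path.isfile(db_path):
        with open(db_path, encoding="utf-8") as fh:
            addons = json.load(fh).get("addons", [])
    # Foreign install + enabled: either the user opted in, or the opt-in
    # was skipped. The flag alone cannot tell these apart, so report for review.
    flagged = sorted(
        a.get("id", "<no id>") for a in addons
        if a.get("foreignInstall") and not a.get("userDisabled", False)
    )
    # Per comment 4, add-ons dropped in staged/ bypass the flag, so the check
    # above cannot be relied on for them; list the directory separately.
    staged_dir = os.path.join(profile_dir, "extensions", "staged")
    staged = sorted(os.listdir(staged_dir)) if os.path.isdir(staged_dir) else []
    return flagged, staged


def demo():
    """Build a throwaway profile from the constructed data and audit it."""
    with tempfile.TemporaryDirectory() as profile:
        with open(os.path.join(profile, "extensions.json"), "w", encoding="utf-8") as fh:
            json.dump({"addons": SAMPLE_ADDONS}, fh)
        staged = os.path.join(profile, "extensions", "staged")
        os.makedirs(staged)
        open(os.path.join(staged, "dropped@example.test.xpi"), "w").close()
        return audit_profile(profile)


if __name__ == "__main__":
    flagged, staged = demo()
    print("enabled foreign installs:", flagged)
    print("staged, not yet covered by the flag:", staged)
```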